Problem pinging RRAS server from outside the network

RRAS has been working successfully for a few years. Last week something seems to have changed and we are no longer able to ping the public IP address that is port forwarded to the Windows 2k3 server IP address 192.168.100.3.

From the 192.168.100.3 server, if we go to http://canyouseeme.org we see our public IP address. When we check Port 1723 (PPTP port) we get a successful reply which leads us to believe that both the firewall and ISP are not blocking this port.

Is ICMP traffic set to be blocked anywhere? If so, there possibly lies your issue. You need to check the ASA and the server. Also, have you tried pinging the server's private IP address from within the network? If this works, then the issue points to the ASA. If this doesn't work, then it points to the server itself.

While you mention that you cannot ping the server, it also sounds like the server has not been down either. Is that correct?


Mike Orther, Systems Engineer (Author) commented: 2016-10-04

Thanks masnrock for the reply. I am able to ping the internal address of the server.

ICMP is exactly the same on the ASA as it was 4 months ago when I made my last backup. Below are the ICMP settings.


So the problem is definitely within the ASA. Have you tried clearing out the ICMP configuration, then setting it up again with the same rule?

Another step you can try is to change "outsideif_in" to "outside_in" on line 7.


Mike Orther, Systems Engineer (Author) commented: 2016-10-07

Thanks Masnrock: I tried what you suggested, but no luck. Still unable to ping from outside the network. This is really crazy, because this was working and nothing had changed on my side. No firewall or server changes.

Can you pull up any firewall logs that may help? Usually there is going to be something that will indicate what rule denied or rejected it.


Mike Orther, Systems Engineer (Author) commented: 2016-10-26

Hello Masnrock. You were correct, there was a problem with the ICMP. We ended up adding the last line "icmp-object echo" and that fixed the issue. Really not sure how this was working before, but happy it is now.
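
An added example, not part of the thread: a small Python check for the condition the fix addressed, an ASA `icmp-type` object group that a permit rule references but that lacks `icmp-object echo`. The thread does not show the poster's configuration, so the sample config and the group name `ICMP_ALLOWED` are constructed.

```python
import re

# Constructed sample; NOT the poster's configuration (the thread does not show it).
# The group name ICMP_ALLOWED is hypothetical.
SAMPLE_CONFIG = """\
object-group icmp-type ICMP_ALLOWED
 icmp-object echo-reply
 icmp-object time-exceeded
 icmp-object unreachable
access-list outside_in extended permit icmp any any object-group ICMP_ALLOWED
access-group outside_in in interface outside
"""


def icmp_groups(config):
    """Map each icmp-type object-group name to the set of its icmp-object types."""
    groups, current = {}, None
    for line in config.splitlines():
        header = re.match(r"object-group icmp-type (\S+)", line)
        if header:
            current = groups.setdefault(header.group(1), set())
        elif current is not None and line.startswith(" "):
            # Indented lines belong to the group opened by the last header.
            member = re.match(r"\s+icmp-object (\S+)", line)
            if member:
                current.add(member.group(1))
        else:
            current = None  # any unindented line ends the group block
    return groups


def acls_missing_echo(config):
    """Return (acl, group) pairs where a permit-icmp rule uses a group without 'echo'."""
    groups = icmp_groups(config)
    rule = re.compile(
        r"access-list (\S+) extended permit icmp .* object-group (\S+)\s*$")
    findings = []
    for line in config.splitlines():
        m = rule.match(line)
        # Echo requests (ping) are dropped if the referenced group omits 'echo'.
        if m and m.group(2) in groups and "echo" not in groups[m.group(2)]:
            findings.append((m.group(1), m.group(2)))
    return findings


if __name__ == "__main__":
    for acl, group in acls_missing_echo(SAMPLE_CONFIG):
        print(f"{acl}: object-group {group} has no 'icmp-object echo'")
```
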